A couple of weeks ago, Atul Agarwal of Secfence privately reported me a ClearClick bypass based on tracking user's mouse movements and dynamically putting an extremely small click target just under his pointer. Even though it required the attacker's page to be whitelisted and run JavaScript, I deemed this bug deserved to be fixed ASAP because ClearClick, like most web application security countermeasures offered by NoScript (e.g. anti-XSS, ABE or HTTPS enforcement) is guaranteed to work independently from script permissions, i.e. even if you allow scripts globally. Atul kindly accepted to coordinate the disclosure, so I immediately released the 2.0.9.7rc1 development build with the bug fix, and all the user base was automatically updated with the stable 2.0.9.7 release about one week later.